{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3658", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T19:11:49.990Z", "datePublished": "2026-03-19T11:15:30.688Z", "dateUpdated": "2026-03-19T16:05:21.373Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-19T11:15:30.688Z"}, "affected": [{"vendor": "croixhaug", "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.6.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes."}], "title": "Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67c7b9b2-e73f-47fe-aecc-14e998a607c8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1171"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L140"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-type-model.php#L907"}, {"url": "https://plugins.trac.wordpress.org/changeset/3485143/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "momopon1415"}], "timeline": [{"time": "2026-03-06T19:27:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-18T22:37:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T16:05:12.140765Z", "id": "CVE-2026-3658", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:05:21.373Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3658", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T16:05:12.140765Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:05:17.303Z"}}], "cna": {"title": "Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "momopon1415"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "croixhaug", "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6.10.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-06T19:27:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-18T22:37:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67c7b9b2-e73f-47fe-aecc-14e998a607c8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1171"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L140"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-type-model.php#L907"}, {"url": "https://plugins.trac.wordpress.org/changeset/3485143/"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-19T11:15:30.688Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3658", "state": "PUBLISHED", "dateUpdated": "2026-03-19T16:05:21.373Z", "dateReserved": "2026-03-06T19:11:49.990Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-19T11:15:30.688Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes."}], "id": "CVE-2026-3658", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-19T12:16:18.807", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-type-model.php#L907"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L140"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1171"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3485143/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67c7b9b2-e73f-47fe-aecc-14e998a607c8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6.10.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "source": "cna", "vendor": "croixhaug"}, "product": "appointment_booking_calendar_\u2014_simply_schedule_appointments_booking_plugin", "vendor": "croixhaug"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T12:20:28.440215+00:00", "value": {"mitigation_remediation": ["Upgrade the Appointment Booking Calendar plugin to a version newer than 1.6.10.0 as released by the vendor or through the WordPress plugin repository.", "If an update is not immediately available, disable the plugin or remove external access to the 'fields' parameter to prevent injection attempts.", "Ensure the WordPress core, themes, and all other plugins are updated to their latest secure releases."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "All installations of the Appointment Booking Calendar plugin version 1.6.10.0 or earlier are affected. The plugin is distributed under the brand croixhaug:Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin. No specific vendor patch notes are available in the supplied data; the fix is presumed to be included in any release newer than 1.6.10.0.", "description_and_impact": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'fields' parameter in all versions up to 1.6.10.0. The vulnerability arises from insufficient escaping of user\u2011supplied input and the absence of prepared statements in the existing SQL query. This flaw allows attackers to append arbitrary SQL commands, enabling the extraction of sensitive data such as usernames, email addresses, and password hashes from the database. The weakness is identified as CWE-89, indicating a classic SQL injection scenario.", "risk_and_exploitability": "The CVSS Base Score for this issue is 7.5, indicating high severity. EPSS data is not available, so the current exploitation probability is uncertain, but the flaw is known to be exploitable by unauthenticated users. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending a crafted request to the 'fields' parameter, causing the plugin to execute injected SQL statements."}}}}, "created": "2026-03-20T08:56:55.117949+00:00", "updated": "2026-03-20T14:15:05.098333+00:00", "vendors": ["croixhaug", "croixhaug$PRODUCT$appointment_booking_calendar_\u2014_simply_schedule_appointments_booking_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}